kubernetes

[따배쿠] Secret

bbiyak2da 2024. 12. 25. 10:11

Secret

ConfigMap and Secret are similar, but a Secret is meant to hold more sensitive information.

Secret values are stored base64-encoded.

When creating a secret, you must specify one of the Available Commands (the secret type subcommand), e.g. docker-registry, generic, tls.


Hands-on

Order: create the Secret source file > create the Secret > use the Secret


[Create the nginx-config.conf file]

root@master:~/Getting-Start-Kubernetes/11# vi genid-web-config/nginx-config.conf
server {
    listen   80;
    server_name  www.example.com;

    gzip on;
    gzip_types text/plain application/xml;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

[Create the Secret]

root@master:~/Getting-Start-Kubernetes/11# kubectl create secret generic ttabae-secret --from-literal=INTERVAL=2 --from-file=./genid-web-config/
secret/ttabae-secret created

[Check the Secret]

root@master:~/Getting-Start-Kubernetes/11# kubectl get secrets
NAME            TYPE     DATA   AGE
ttabae-secret   Opaque   2      9s
root@master:~/Getting-Start-Kubernetes/11# kubectl describe secrets ttabae-secret
Name:         ttabae-secret
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
INTERVAL:           1 bytes
nginx-config.conf:  218 bytes
root@master:~/Getting-Start-Kubernetes/11# kubectl get secrets ttabae-secret -o yaml
apiVersion: v1
data:
  INTERVAL: Mg==
  nginx-config.conf: c2VydmVyIHsKICAgIGxpc3RlbiAgIDgwOwogICAgc2VydmVyX25hbWUgIHd3dy5leGFtcGxlLmNvbTsKCiAgICBnemlwIG9uOwogICAgZ3ppcF90eXBlcyB0ZXh0L3BsYWluIGFwcGxpY2F0aW9uL3htbDsKCiAgICBsb2NhdGlvbiAvIHsKICAgICAgICByb290ICAgL3Vzci9zaGFyZS9uZ2lueC9odG1sOwogICAgICAgIGluZGV4ICBpbmRleC5odG1sIGluZGV4Lmh0bTsKICAgIH0KfQo=
kind: Secret
metadata:
  creationTimestamp: "2024-12-25T01:16:44Z"
  name: ttabae-secret
  namespace: default
  resourceVersion: "421288"
  uid: 23a7c218-2dbd-47b5-b9db-5d64f3e1afd5
type: Opaque

Secret values are base64-encoded, so they are not displayed in plain text.

However, when they are passed to a Pod they arrive decoded and readable.

Using a Secret

Hands-on (using a Secret as a container environment variable)

Let's use the Secret we created above.

[Create the genid-env-secret.yaml file]

root@master:~/Getting-Start-Kubernetes/11# cat genid-env-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: genid-env-secret
spec:
  containers:
  - image: smlinux/genid:env
    env:
    - name: INTERVAL
      valueFrom:
        secretKeyRef:
          name: ttabae-secret
          key: INTERVAL
    name: fakeid-generator
    volumeMounts:
    - name: html
      mountPath: /webdata
  - image: nginx:1.14
    name: web-server
    volumeMounts:
    - name: html
      mountPath: /usr/share/nginx/html
      readOnly: true
    ports:
    - containerPort: 80
  volumes:
  - name: html
    emptyDir: {}

[Create the Pod]

root@master:~/Getting-Start-Kubernetes/11# kubectl create -f genid-env-secret.yaml
pod/genid-env-secret created

Hands-on 2 (passing a Secret to a container via a volume mount)

[Create the genid-volume-secret.yaml file]

root@master:~/Getting-Start-Kubernetes/11# vi genid-volume-secret.yaml
apiVersion: v1
kind: Pod
metadata:
  name: genid-volume-secret
spec:
  containers:
  - image: smlinux/genid:env
    env:
    - name: INTERVAL
      valueFrom:
        secretKeyRef:
          name: ttabae-secret
          key: INTERVAL
    name: fakeid-generator
    volumeMounts:
    - name: html
      mountPath: /webdata
  - image: nginx:1.14
    name: web-server
    volumeMounts:
    - name: html
      mountPath: /usr/share/nginx/html
      readOnly: true
    - name: config
      mountPath: /etc/nginx/conf.d
      readOnly: true
    ports:
    - containerPort: 80
  volumes:
  - name: html
    emptyDir: {}
  - name: config
    secret:
      secretName: ttabae-secret
      items:
      - key: nginx-config.conf
        path: nginx-config.conf

The Secret named ttabae-secret is volume-mounted at /etc/nginx/conf.d inside the container and used from there.

[Create the Pod]

root@master:~/Getting-Start-Kubernetes/11# kubectl create -f genid-volume-secret.yaml

[Check the Pods]

root@master:~/Getting-Start-Kubernetes/11# kubectl get pods
NAME                  READY   STATUS    RESTARTS   AGE
genid-env-secret      2/2     Running   0          12m
genid-volume-secret   2/2     Running   0          4s

[Enter the container and verify]

root@master:~/Getting-Start-Kubernetes/11# kubectl exec -it genid-volume-secret -c web-server -- /bin/bash
root@genid-volume-secret:/# cd /etc/nginx/conf.d/
root@genid-volume-secret:/etc/nginx/conf.d# ls
nginx-config.conf
root@genid-volume-secret:/etc/nginx/conf.d# cat nginx-config.conf
server {
    listen   80;
    server_name  www.example.com;

    gzip on;
    gzip_types text/plain application/xml;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

We can confirm that the nginx-config.conf file was mounted correctly.

When the Secret was created, its values were base64-encoded and could not be read, but once the Secret is delivered to the application that uses it (e.g. a Pod), it is decoded and the values can be read.


root@genid-volume-secret:/etc/nginx/conf.d# df -h
Filesystem      Size  Used Avail Use% Mounted on
overlay          29G  7.5G   21G  27% /
tmpfs            64M     0   64M   0% /dev
/dev/root        29G  7.5G   21G  27% /etc/hosts
shm              64M     0   64M   0% /dev/shm
tmpfs           7.7G  4.0K  7.7G   1% /etc/nginx/conf.d
tmpfs           7.7G   12K  7.7G   1% /run/secrets/kubernetes.io/serviceaccount
tmpfs           3.9G     0  3.9G   0% /proc/acpi
tmpfs           3.9G     0  3.9G   0% /proc/scsi
tmpfs           3.9G     0  3.9G   0% /sys/firmware
root@genid-volume-secret:/etc/nginx/conf.d# ls -l
total 0
lrwxrwxrwx 1 root root 24 Dec 25 01:44 nginx-config.conf -> ..data/nginx-config.conf
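Added example (not from the original post): it reverses, in Python, what the kubectl commands above did with the page's own ttabae-secret values, showing that the base64 in `data:` is reversible encoding rather than encryption, and reproduces the byte counts that `kubectl describe secrets` printed. The 1 MiB per-Secret limit used in the size check is taken from the Kubernetes documentation, not from this page.

```python
import base64
from typing import Dict

# The two data values exactly as printed by `kubectl get secrets ttabae-secret -o yaml`
# above (the page's own Secret, not values constructed here).
TTABAE_SECRET_DATA: Dict[str, str] = {
    "INTERVAL": "Mg==",
    "nginx-config.conf": "c2VydmVyIHsKICAgIGxpc3RlbiAgIDgwOwogICAgc2VydmVyX25hbWUgIHd3dy5leGFtcGxlLmNvbTsKCiAgICBnemlwIG9uOwogICAgZ3ppcF90eXBlcyB0ZXh0L3BsYWluIGFwcGxpY2F0aW9uL3htbDsKCiAgICBsb2NhdGlvbiAvIHsKICAgICAgICByb290ICAgL3Vzci9zaGFyZS9uZ2lueC9odG1sOwogICAgICAgIGluZGV4ICBpbmRleC5odG1sIGluZGV4Lmh0bTsKICAgIH0KfQo=",
}

# Documented per-Secret limit (1 MiB, from the Kubernetes docs). Summing the decoded
# values gives a lower bound on the stored object size; keys and metadata add to it.
MAX_SECRET_BYTES = 1024 * 1024


def decode_secret_data(data: Dict[str, str]) -> Dict[str, bytes]:
    """Reverse the encoding kubectl applied. base64 is an encoding, not a cipher:
    anyone with `get` permission on the Secret recovers the plaintext exactly,
    which is why RBAC on Secrets and encryption at rest matter."""
    return {key: base64.b64decode(value, validate=True) for key, value in data.items()}


def build_secret_data(literals: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Produce the `data:` map that `kubectl create secret generic
    --from-literal=K=V --from-file=<dir>` writes (each file name becomes a key)."""
    data = {key: base64.b64encode(value.encode("utf-8")).decode("ascii")
            for key, value in literals.items()}
    data.update({name: base64.b64encode(content).decode("ascii")
                 for name, content in files.items()})
    return data


def describe_sizes(data: Dict[str, str]) -> Dict[str, int]:
    """Per-key byte counts, the numbers `kubectl describe secrets` prints under Data."""
    return {key: len(value) for key, value in decode_secret_data(data).items()}


def within_size_limit(data: Dict[str, str]) -> bool:
    """Approximate check against the 1 MiB limit before submitting a manifest."""
    return sum(describe_sizes(data).values()) <= MAX_SECRET_BYTES


if __name__ == "__main__":
    for key, value in decode_secret_data(TTABAE_SECRET_DATA).items():
        print(f"{key}: {len(value)} bytes")
        print(value.decode("utf-8"))
```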

Secret data size limit


[Reference video]

https://www.youtube.com/watch?v=aW2RAVnOHFY&list=PLApuRlvrZKohaBHvXAOhUD-RxD0uQ3z0c&index=36